Find out more about how we use patient information at Gloucestershire Hospitals NHS Foundation Trust. This notice will also apply, where appropriate, to information we hold about patients’ carers, relatives and next-of-kin.
What information do we collect from you?
Records which this Trust may hold about you may include the following:
- Details about you, such as your address and next of kin
- Any contact the Trust has had with you, such as appointments, clinic visits, emergency appointments, etc
- Notes and reports about your health
- Details about your treatment and care
- Results of investigations, such as laboratory tests, x-rays, etc
- Relevant information from other health professionals, relatives or those who care for you
Coronavirus (COVID-19) self isolation
Information about patients’ coronavirus (COVID-19) status may be shared with NHS and other partners involved in their care and treatment, along with:
- NHS England
- Public Health England
- the Department of Health
- other government departments where it's legally required, or where it's necessary for the protection of public health or management of the outbreak
The lawful basis is GDPR Article 6(1)(c), compliance with a legal obligation, or Article 6(1)(e), that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (the provision of statutory health care services).
The exemptions in GDPR Article 9(1)(g) and 9(2)(h) will be applied, that processing is necessary for matters of substantial public interest or for the management of health care systems.
The conditions in paragraphs 2 (management of health care systems), 3 (public health) and 6 (statutory and government purposes) of schedule 1 of the Data Protection Act 2018 are engaged.
Where a patient has tested positive for COVID-19, the results of the test may also be notified to next-of-kin, partners, or people the patient may live with.
Why do we collect your information?
We collect your information to enable us to provide you with health and social care services. However, your information may also be collected for other purposes that you should be aware of, such as CCTV recordings used for crime prevention, or if you make a complaint/enquiry or if you complete a survey. We will also use your information to contact you to see if you would like to be involved in medical research trials that might be relevant to you. In all situations the Trust is required to comply with data protection law.
Our staff may check your details with you to ensure they are up-to-date and correct. This is important to avoid errors in your care or treatment. So, if your details have changed (such as your name or address) you need to let us know.
In addition to using patient information for managing your care it may be used for some additional purposes including:
- clinical audits and other quality improvement projects/activities. We work towards continually improving the standard of care we provide. To do this we need to review the clinical work we do. This is typically done using a process known as Clinical Audit. Access to your patient records for this purpose is monitored and only anonymous information is used in any reports that are produced.
- approving payments where you have an individually commissioned care plan
- recovering costs if you are an out of area patient and some other NHS organisation is responsible for the cost of your care
- contribute to service development (the Trust may contact patients to raise awareness of the Trust's designated charities, but will not share personal data with them without consent)
- prepare statistics on NHS performance
- internal and external audit of Trust accounts
- helping to train health professionals. The information you give us is vital in helping us to educate the health workers of the future. However, you always have the right to choose whether or not to have students present during a consultation.
- health research and development unless you have opted out of such use. For information about opting out please see the NHS Your Data Matters website
Your contact details may be used to contact you by SMS or an Interactive Voice Phone call to obtain feedback on your experience in using Trust services in accordance with the NHS Friends and Family Test (FFT). You will be able to opt-out of participating when you are first contacted. The lawful basis for using your information for this purpose is that it falls within our official authority as a health service provider as we have a contractual obligation to run the FFT. In addition we have a statutory duty under the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to assess and monitor the quality of the experience of service users. Your responses to the FFT will be anonymous and will not be traced back to you.
You can also find out more about how the NHS uses and looks after patient data at Understanding Patient Data
Who might we share your information with?
The Trust may decide it is appropriate to share your information with other organisations or professionals involved in your care so that you receive good quality care and to prevent you being assessed again or being asked the same questions. Ordinarily information kept by the Trust will be made available to your GP. The Trust works with many partner organisations such as Social Care services, educational bodies, housing associations, voluntary and community organisations. Staff should discuss with you what information they are sharing, why and with whom.
We will only consider sharing information with other organisations or professionals where we consider it an important part of delivering effective care. However, you have a right to object to your information being shared.
There are exceptional circumstances whereby the Trust may share information about you without your knowledge, for example, in an emergency where you or someone else might suffer substantial harm or distress, where it relates to a 'communicable disease' (such as cholera, plague, smallpox, etc.) or if information is required by law (such as a court order).
Information about carers and relatives of deceased patients may be shared with Health Quality Improvement Partnership Ltd and NHS Benchmarking for the purposes of the National Care at the End of Life (NACEL) Quality Survey. This will be done in a way which does not directly identify them. For more information please see the NHS Benchmarking Fair Processing Notice.
The Trust provides Patient Level Costing Information to NHS Digital to enable NHS Improvement to perform its statutory pricing and licensing functions effectively. This does not include any information relating to in vitro fertilisation (IVF) and gender recognition services. The legal basis for the provision is compliance with a statutory duty as NHS Digital requests the information using its power under section 259 of the Health and Social Care Act 2012. A copy of the Data Provision Notice is available on request: email@example.com
For further information about how the NHS uses this data please see the NHS Digital website.
Reasonable Adjustment Flag
If you have agreed to have a Reasonable Adjustment Flag on your national NHS records, we may, with your agreement, add to or update the information on it, which will be available to other NHS organisations assisting in your care.
South Central & West Child Health Information Services (SCW CHIS)
For the purposes of providing medical services to, and the safeguarding of, children the Trust shares Maternity Department Data and Newborn Hearing Screening Data with the SCW CHIS.
The SCW CHIS is a Public Health Service commissioned by NHS England to maintain active and accurate child health records for the local population including children who move in and out of the area; manage queries about the health status of individual children and populations; check who has not yet had their interventions; and ensure that no interventions are duplicated or unintentionally missed.
Information is shared with NHS England and other participating health service providers. Information may be made available through the service to NHS Providers/NHS Business Partners including Local Authorities under an NHS Contract to deliver Child Health Services including Health Visitor teams, Looked After Children co-ordinators, School Nursing Teams, Acute (including Maternity Departments/Units), Newborn Bloodspot Laboratory, Newborn Hearing Screening Providers, Newborn Infant & Physical Examination (NIPE) providers, Vision Screening Providers, and Mental Health and Community Health service providers who are engaged in delivering services to children.
All parties participating in the SCW CHIS have signed specific Data Sharing Agreements to control their access to this patient data. A copy of the Trust’s agreement is available on request. For further information please see the SCW CHIS Privacy Notice.
Take a look at this list of the Trust's main information sharing partners.
What other information about you do we process?
As well as information that you provide to us directly, we also access and use information from other sources to help us provide you with safe and effective health and social care. This may include, for example:
- Your summary care record (SCR) extracted from your GP’s records unless you have opted out of having an SCR. Please follow the link for more information about your SCR
- Information held under a 'Reasonable Adjustments Flag' if you have agreed to have one. You can find out more about this from NHS England
- Additional information from an SCR where you have consented to have this added. This could be about how you would like to be treated, such as where you would prefer to receive care, what support you might need, or who should be contacted for more information about you. The Trust may also update this information with your consent. Use the link to find out more information about adding additional information
- Joining Up Your Information (JUYI): JUYI is a shared care record system for GPs, hospitals, community health, mental health and social care teams which allows the Trust, unless you have objected, to access information from health and social care professionals in Gloucestershire where this is for the purposes of your care. See also JUYI Privacy Notice
- Child Protection Information Service (CP-IS): When a child is known to social services and is a Looked After Child or on a Child Protection Plan, basic information about that plan is shared securely with the Trust by Social Services.
- Other information from NHS providers including your GP Surgery about health care that you have received previously and from partner organisations such as Social Care, housing associations, charities and voluntary and community organisations
How long do we keep your information?
There is a requirement for the Trust to hold a record of your information for a set length of time (which varies according to the type of information that it is). You can find further information on the rules that the Trust must follow in this document created by the Information Governance Alliance (see ‘Records Management Code of Practice for Health and Social Care 2016’).
Where is my information stored?
Some health records are held in paper form but increasingly parts of your health records are now stored electronically as the NHS strives to become paperless.
Almost all electronic records are stored in the UK. However, for a very small minority of services some information may be sent and stored abroad, such as out of hours radiology reporting where information is securely transferred to Australia. We make sure that where information is stored abroad, it has the same level of legal protection as it would if it were stored here.
How we use your information: legal aspects
The ways in which we use your information are governed by law. The principal legislation that applies is the EU General Data Protection Regulation (GDPR), which came into force on 25 May 2018 and has been incorporated into the Data Protection Act 2018. We are required to identify the legal basis under GDPR for processing your information.
In addition, confidential information about you that you give to our staff to enable them to provide your care is governed by the common law duty of confidentiality, as described in our Data Protection and Confidentiality Policy:
- When your information is used or shared for your direct clinical care and related administrative purposes, we rely on Article 6(1)e GDPR - processing is necessary for the performance of a task carried out in the exercise of official authority. The exception in Article 9(2)h of the GDPR - processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services – allows us to use your health data for these purposes.
- In addition we hold health records under Article 6(1)c of the GDPR – processing in compliance with a legal obligation. We have a duty under Regulation 17(2)(c) of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 to keep an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken. We may also use your information if necessary for the purposes specified in the other parts of Regulation 17(2). As above, the exception in Article 9(2)h of the GDPR applies in these cases.
- When there is a legal requirement that we provide specified data to NHS Digital, for example for secondary (indirect care) purposes, we rely on Article 6(1)c of the GDPR – processing in compliance with a legal obligation. In cases where the common duty of confidentiality cannot be satisfied through consent this is done with approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006. The exception in Article 9(2)h of the GDPR referred to above also applies.
In respect of medical research, in most instances we rely on Article 6(1)e as above, and the exception in Article 9(2)j of the GDPR for research purposes, if and when we use your information for research. On occasions the legal basis may be your explicit consent. If you have formally consented to take part in research, this will satisfy the common law duty of confidentiality. Where it has been impracticable to obtain your consent this is again done with approval from the Secretary of State via the Confidentiality Advisory Group under Section 251 of the National Health Service Act 2006.
What are my rights?
The Data Protection Act gives you certain rights in respect of the information we hold about you. Select a topic below for further information:
- Request a copy of information that we hold about you (read more about how to access a copy of your health record)
- Object to the Trust using your personal data
- Request to have your personal data rectified
- Request to have your personal data erased
- How to submit a request
The Trust may refuse your request (in full or in part) where there is a legal basis to refuse and you will be notified of this.
Object to the Trust using your personal data
You have the right to object to the Trust using/sharing your information; however, there is no automatic right to prevent the Trust using/sharing your information.
Objections will be considered and you will be notified of the Trust’s decision and reason for its decision.
Where we have asked for your consent to collect and use your information, you have the right to withdraw that consent at any time.
Request to have your personal data rectified
You are entitled to have personal data rectified if it is inaccurate or incomplete.
The Trust must respond within 30 calendar days. However, the Trust may extend this period up to 60 calendar days for complex requests.
The Trust may refuse the request if it believes the information is accurate/complete or there is a legal basis to refuse and you will be notified of this. You have the right to complain to the Information Commissioner’s Office and to seek correction by order of a Court.
Request to have your personal data erased
This is more commonly known as the ‘right to be forgotten’. You may request to have your data erased where:
- It no longer needs to be kept by the Trust (it has surpassed the minimum retention period)
- Where you withdraw your consent or object to the use of your data and there is no requirement for the Trust to retain the data
- It has been used unlawfully
- The Trust must comply with a legal obligation
- You are under 16 and data has been stored electronically by the Trust at your request
The Trust may refuse your request (in full or part) where there is a legal basis to refuse and you will be notified of this.
How the Trust ensures information is used appropriately
The Trust is required to provide evidence of the steps it takes to ensure information is used appropriately. Find out more
Whenever the Trust changes the way it manages personal data it carries out an assessment, and if any significant risks to privacy are identified a full Data Protection Impact Assessment is carried out as required by the General Data Protection Regulation. Copies of these are available on request in accordance with our Publication Scheme. You can also request copies of any Data Sharing Agreements we have entered into with our partners which we describe in the section “Who might we share your information with?” above.
What to do if you have concerns about the use of your information
- You can contact the Trust’s Information Governance lead
- Caldicott Guardian email: firstname.lastname@example.org
- Trust’s Accountable Officer: Deborah Lee
- or the Data Protection Officer
If we can’t resolve your concern, you have the right to lodge a complaint with the Information Commissioner's Office